Pornhub Users Targeted With Malware Laden Ads

Hackers target ‘millions of PornHub users’ with fake browser updates

Millions of users in the U.S., UK, Canada and Australia are at potential risk, as a hacking group called KovCoreG (best known for distributing the Kovter ad fraud malware) recently lured users with fake browser and Flash updates, according to researchers at Proofpoint, who discovered the attack.

For those unaware, Kovter is a multi-purpose malware downloader that can deliver ad fraud malware, ransomware, information stealers and more.

The KovCoreG group targeted users of Pornhub, one of the world’s most visited adult websites, by deceiving them into installing the Kovter malware. The lure appeared via malicious pop-up ads shown on some Pornhub pages; these ads redirected users to a scam website advertising a fake browser update.

Users saw different download prompts depending on their browser. Chrome and Firefox users got a fake browser update window, while Internet Explorer (IE) and Microsoft Edge users got a fake Flash update window. The downloadable files were JavaScript files (Chrome, Firefox) or HTA files (IE, Edge) that installed Kovter.

Apparently, the attack had been active for more than a year before the ad network whose ads were being abused, Traffic Junky, and the adult site pulled the ads after being notified by Proofpoint.

“The chain begins with a malicious redirect hosted on avertizingms[.]com, which inserts a call hosted behind KeyCDN, a major content delivery network”, Proofpoint writes.

The KovCoreG group used ISP- and geography-based filters so that only the users they wanted to attack would receive the chain. The researchers said that “malvertising impressions are restricted by both geographical and ISP filtering. For users that pass these filters, the chain delivers a page containing heavily obfuscated JavaScript identical to that used by Neutrino and NeutrAds.”
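The delivery pattern the article describes, a redirect through the malvertising domain followed by a per-browser script download (JavaScript for Chrome/Firefox, HTA for IE/Edge), is something a defender can look for in web proxy logs. The following is an added detection example, not code from the article or from Proofpoint. The log format, the client addresses, the `cdn-example.invalid` host and the `news.example` host are all constructed for the example; the only domain taken from the article is the redirector avertizingms[.]com (re-joined here because the article de-fangs it). The CDN used in the real chain is a legitimate service, so the example keys on the redirector and the download, not on the CDN.

```python
"""Flag fake-update script downloads that follow a malvertising redirect.

Added example, not from the article or Proofpoint. Assumes a constructed
proxy log format: "<timestamp> <client_ip> <browser_family> <host> <path> <status>".
"""
import re

# Redirector named in the article (de-fanged there as avertizingms[.]com).
REDIRECTOR_DOMAINS = {"avertizingms.com"}

# File types the article says were served as fake updates.
SCRIPT_EXTENSIONS = (".js", ".hta")

# Which extension the article associates with each browser family.
PAYLOAD_BY_FAMILY = {"chrome": ".js", "firefox": ".js", "ie": ".hta", "edge": ".hta"}

# Constructed log line layout (assumption, not a real proxy's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<family>\S+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample traffic: three clients pass through the redirector,
# one (10.0.0.7) fetches an ordinary .js from a normal site and must not fire.
SAMPLE_LOGS = """\
2017-10-06T10:00:01Z 10.0.0.5 chrome avertizingms.com /ad 302
2017-10-06T10:00:03Z 10.0.0.5 chrome cdn-example.invalid /update.js 200
2017-10-06T10:01:00Z 10.0.0.6 ie avertizingms.com /ad 302
2017-10-06T10:01:01Z 10.0.0.6 ie cdn-example.invalid /flash_update.hta 200
2017-10-06T10:02:00Z 10.0.0.7 firefox news.example /index.html 200
2017-10-06T10:02:05Z 10.0.0.7 firefox news.example /app.js 200
2017-10-06T10:03:00Z 10.0.0.8 edge avertizingms.com /ad 302
2017-10-06T10:03:01Z 10.0.0.8 edge cdn-example.invalid /update.js 200
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def _extension(path):
    """Lower-cased extension of the request path, '' if it has none."""
    parts = path.lower().rsplit(".", 1)
    return "." + parts[1] if len(parts) == 2 else ""


def find_fake_update_downloads(lines):
    """Return hits for script downloads by clients that passed the redirector.

    Severity is 'high' when the extension matches the browser family pairing
    the article describes, 'medium' for any other .js/.hta after the redirect.
    """
    redirected = set()  # clients that hit the malvertising redirector
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than failing the whole run
        client, family = rec["client"], rec["family"].lower()
        host, path, status = rec["host"].lower(), rec["path"], rec["status"]

        # Step 1 of the chain: a 3xx from the known redirector domain.
        if host in REDIRECTOR_DOMAINS and status.startswith("3"):
            redirected.add(client)
            continue

        # Only clients that went through the redirector are of interest.
        if client not in redirected:
            continue

        # Step 2 of the chain: the fake "update" is a .js or .hta file.
        ext = _extension(path)
        if ext not in SCRIPT_EXTENSIONS:
            continue
        severity = "high" if PAYLOAD_BY_FAMILY.get(family) == ext else "medium"
        hits.append({"client": client, "family": family, "host": host,
                     "path": path, "severity": severity})
    return hits


if __name__ == "__main__":
    for hit in find_fake_update_downloads(SAMPLE_LOGS.splitlines()):
        print(f"[{hit['severity']}] {hit['client']} ({hit['family']}) fetched "
              f"{hit['path']} from {hit['host']} after malvertising redirect")
```

Run as-is it prints the three constructed clients that followed the redirector to a script download, and stays silent for the client that merely loaded a site's own JavaScript. In production the redirector set would come from threat intelligence rather than a single hard-coded name, and the redirect-to-download correlation would need a time window instead of an unbounded set.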

The malicious ads have now been removed by both the ad network and the adult website. According to Proofpoint, however, the campaign continues elsewhere.

“Millions of web surfers […] were potentially exposed to ad fraud malware due to the latest series of large-scale KovCoreG group malvertising campaigns,” said Kevin Epstein, the vice president of threat operations at Proofpoint, in a statement.

He continued: “We are pleased that following our notification, the site and advertising network abused in this particular attack worked swiftly to remove the infected content.

“Very few groups have the capability to abuse the advertising chains of some of the world’s most visited websites; however, the KovCoreG group is one of them.

“This discovery underscores that threat actors follow the money and continue to perfect combinations of social engineering, targeting, and pre-filtering to infect new victims.”

Like other malvertising actors, the KovCoreG group is currently focusing on redirecting users to social engineering sites (i.e. fake download pages) rather than to websites hosting exploit kits.

“Once again, we see actors exploiting the human factor even as they adapt tools and approaches to a landscape in which traditional exploit kit attacks are less effective. While the payload in this case is ad fraud malware, it could just as easily have been ransomware, an information stealer, or any other malware. Regardless, threat actors are following the money and looking to more effective combinations of social engineering, targeting, and pre-filtering to infect new victims at scale,” concluded Proofpoint.